1. Field of the Invention
This invention relates to systems and methods for detecting violations of an email security policy in a computer system, and more particularly to the use of probabilistic and statistical models to model the behavior of email transmission through the computer system.
2. Background
Computer systems are constantly under attack by a number of malicious intrusions. For example, malicious software is frequently attached to email. According to NUA Research, email is responsible for the spread of 80 percent of computer virus infections (Postini Corporation, Press release “Postini and Trend Micro Partner to Offer Leading Virus Protection Via Postini's Email Pre-processing Infrastructure,” Online Publication, 2000, http://www.postini.com/company/pr/pr100200.html). Various estimates place the cost of damage to computer systems by malicious email attachments in the range of 10-15 billion dollars in a single year. Many commercial systems have been developed in an attempt to detect and prevent these attacks. The most popular approach to defend against malicious software is through anti-virus scanners such as Symantec and McAfee, as well as server-based filters that filter email with executable attachments or embedded macros in documents (Symantec Corporation, 20330 Stevens Creek Boulevard, Cupertino, Calif. 95014, Symantec worldwide home page, Online Publication, 2002, http://www.symantec.com/product, and McAfee.com Corporation, 535 Oakmead Parkway, Sunnyvale, Calif. 94085, McAfee home page, Online Publication, 2002, http://www.mcafee.com).
These approaches have been successful in protecting computers against known malicious programs by employing signature-based methods. However, they do not provide a means of protecting against newly launched (unknown) viruses, nor do they assist in providing information that may help trace those individuals responsible for creating viruses. Only recently have there been approaches to detect new or unknown malicious software by analyzing the payload of an attachment. The methods used include heuristics (as described in Steve R. White, “Open problems in computer virus research,” Online publication, http://www.research.ibm.com/antivirus/SciPapers/White/Problems/Problems.html), neural networks (as described in Jeffrey O. Kephart, “A biologically inspired immune system for computers,” Artificial Life IV, Proceedings of the Fourth International Workshop on Synthesis and Simulation of Living Systems, Rodney A. Brooks and Pattie Maes, eds., pages 130-193, 1994), and data mining techniques (as described in Matthew G. Schultz, Eleazar Eskin, Erez Zadok, and Salvatore J. Stolfo, “Data Mining Methods For Detection Of New Malicious Executables,” Proceedings of the IEEE Symposium on Security and Privacy, Oakland, Calif., May 2001, and Salvatore J. Stolfo, Erez Zadok, Manasi Bhattacharyya, Matthew G. Schultz, and Eleazar Eskin, “MEF: Malicious Email Filter: a Unix Mail Filter That Detects Malicious Windows Executables,” Online publication, http://www.cs.columbia.edu/ids/mef/rel papers.html). An email filter which detects malicious executables is described in Schultz et al., U.S. patent application Ser. No. 10/208,432, filed Jul. 30, 2002, entitled “System and Methods for Detection of New Malicious Executables,” which is incorporated by reference in its entirety herein.
In recent years, however, not only have computer viruses increased dramatically in number and begun to appear in new and more complex forms, but the increased inter-connectivity of computers has exacerbated the problem by providing the means for fast viral propagation.
Moreover, violations in email security policies have occurred which are marked by unusual behaviors of emails or attachments. For example, spam is a major concern on the internet. More than simply an annoyance, it costs corporations many millions of dollars in revenue because spam consumes enormous bandwidth and mail server resources. Spam is typically not detected by methods that detect malicious attachments, as described above, because spam typically does not include attachments.
Other email security violations may occur where confidential information is being transmitted by an email account to at least one improper addressee. As with spam, such activity is difficult to detect where no known viruses are attached to such emails.
Accordingly, there exists a need in the art for a technique to detect violations in email security policies which can detect unauthorized uses of email on a computer system and halt or limit the spread of such unauthorized uses.